DSA 802.1q VLAN + TL-SG108PE

Hi,

I spent the whole Sunday struggling with the VLAN settings of my switch (TL-SG108PE). Router software: OpenWrt 24.10-SNAPSHOT, r28627-0b392b925f; hardware: Xiaomi Mi Router AX3000T.
The goal is to send four tagged VLANs over LAN3, used as a trunk port, to port 1 of the switch, as shown below. I set up the switch's VLAN and PVID sections as in the picture below, but it doesn't work - devices connected to any of the ports 2-8 don't get an IP address. I have checked everything many times and don't see any mistake. The VLANs assigned to wireless SSIDs work fine.
Could I ask for support with this issue?

root@GW_OpenWRT:~# cat /etc/config/network

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '6'
        list ports 'lan3:t'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan2:u*'
        list ports 'lan3:t'

config interface 'iot'
        option proto 'static'
        option device 'br-lan.5'
        option ipaddr '172.16.5.1'
        option netmask '255.255.255.0'

config interface 'tv'
        option proto 'static'
        option device 'br-lan.6'
        option ipaddr '172.16.6.1'
        option netmask '255.255.255.0'

config interface 'nvr'
        option proto 'static'
        option device 'br-lan.7'
        option ipaddr '172.16.7.1'
        option netmask '255.255.255.0'

Let's review the complete config of your router.

Also, just curious: why are you using a snapshot rather than a standard stable release?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

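Thank you for the quick answer. Below please find the data you would like to review, in the order you asked for it (the output of `ubus call system board`, then the network, wireless, dhcp and firewall configs, one after another).
For years I have been following a Polish guy (https://eko.one.pl/) who builds the latest version of OpenWrt, and I have never had an issue related to using SNAPSHOT.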

{
	"kernel": "6.6.86",
	"hostname": "GW_OpenWRT",
	"system": "ARMv8 Processor rev 4",
	"model": "Xiaomi Mi Router AX3000T",
	"board_name": "xiaomi,mi-router-ax3000t",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10-SNAPSHOT",
		"revision": "r28627-0b392b925f",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10-SNAPSHOT r28627-0b392b925f",
		"builddate": "1745693631"
	}
}
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf6:cc05:9361::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'xxxx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'openvpn_tun0'
	option proto 'none'
	option device 'tun0'

config interface 'wg0'
	option private_key 'xxxxxxxxxxxxxxxxxxxxx'
	option listen_port 'xxxx'
	option addresses '10.9.0.1/24'
	option proto 'wireguard'

config wireguard_wg0
	option public_key 'xxxxxxxxxxxxxxxxxxxxx'
	option route_allowed_ips '1'
	list allowed_ips '10.9.0.2/32'
	option persistent_keepalive '25'
	option description 'Xiaomi_Mi10T'

config wireguard_wg0
	option public_key 'xxxxxxxxxxxxxxxxxxxxx'
	option route_allowed_ips '1'
	list allowed_ips '10.9.0.3/32'
	option persistent_keepalive '25'
	option description 'ICR-2431'

config wireguard_wg0
	option public_key 'xxxxxxxxxxxxxxxxxxxxx'
	option route_allowed_ips '1'
	list allowed_ips '10.9.0.4/32'
	option persistent_keepalive '25'
	option description 'TP-LINK_TL-WDR4300_v1'

config wireguard_wg0
	option public_key 'xxxxxxxxxxxxxxxxxxxxx'
	option route_allowed_ips '1'
	list allowed_ips '10.9.0.5/32'
	option persistent_keepalive '25'
	option description 'Orbi RBR50'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'lan3:t'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.5'
	option ipaddr '172.16.5.1'
	option netmask '255.255.255.0'

config interface 'tv'
	option proto 'static'
	option device 'br-lan.6'
	option ipaddr '172.16.6.1'
	option netmask '255.255.255.0'

config interface 'nvr'
	option proto 'static'
	option device 'br-lan.7'
	option ipaddr '172.16.7.1'
	option netmask '255.255.255.0'
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option country 'PL'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2+ccmp'
	option key 'xxxxxxxxxxxxxxxxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option country 'PL'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'LAN'
	option encryption 'sae-mixed'
	option key 'xxxxxxxxxxxxxxxxxxxxx'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Garmin'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxxxxxxxx'
	option network 'tv'
	option disabled '1'
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_slaac '1'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'tv'
	option interface 'tv'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'nvr'
	option interface 'nvr'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'openvpn_tun0'
	option network 'openvpn_tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	option mtu_fix '1'
	option masq '1'

config rule
	option name 'VPN'
	option target 'ACCEPT'
	option dest_port 'xxxx'
	option src 'wan'
	option proto 'udp'
	option family 'ipv4'

config rule
	option name 'Allow-ssh-via-VPN'
	option src 'openvpn_tun0'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '22'
	option family 'ipv4'

config rule
	option name 'Allow-IPv4-ping-via-VPN'
	option src 'openvpn_tun0'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-via-VPN'
	option src 'openvpn_tun0'
	option proto 'udp'
	option dest_port '53'
	option family 'ipv4'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'openvpn_tun0'
	option family 'ipv4'

config forwarding
	option src 'openvpn_tun0'
	option dest 'lan'
	option family 'ipv4'

config forwarding
	option src 'openvpn_tun0'
	option dest 'openvpn_tun0'
	option family 'ipv4'

config rule
	option name 'wireguard'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port 'xxxx'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'wg0'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'openvpn_tun0'
	option dest 'wg'

# Firewall zone for the 'iot' network (br-lan.5, also used by the 'IoT' SSID).
config zone
	option name 'IoTZone'
	option network 'iot'
	# input ACCEPT lets hosts in this zone reach any service the router itself listens on;
	# TVZone in this file uses input REJECT plus explicit DHCP/DNS allow rules instead.
	option input 'ACCEPT'
	option output 'ACCEPT'
	# Zone-level forward only covers traffic between networks inside this zone;
	# no 'config forwarding' section in this file has src 'IoTZone'.
	option forward 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'TVZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'
	list network 'tv'

# Accepts IPv4 UDP from TVZone on the DHCP ports; no 'dest' is set, so this is an
# input rule for traffic addressed to the router itself (TVZone's input policy is REJECT).
config rule
    option src 'TVZone'
    option proto 'udp'
    # Restricts the match to packets whose source port is also 67-68;
    # the 'TV DNS' rule for the same zone sets no src_port.
    option src_port '67-68'
    option dest_port '67-68'
    option target 'ACCEPT'
    option family 'ipv4'
    option name 'TV DHCP'

config rule
    option src 'TVZone'
    option target 'ACCEPT'
    option family 'ipv4'
    option name 'TV DNS'
    option dest_port '53'
    list proto 'tcp'
    list proto 'udp'

# Firewall zone for the 'nvr' network (br-lan.7). All three policies are REJECT and
# this file contains no rule with src 'NVRZone', so the router accepts no new
# inbound traffic from this zone.
config zone
	option name 'NVRZone'
	option network 'nvr'
	# With input REJECT and no allow rules, hosts here cannot reach the router's DHCP or
	# DNS service (compare the 'TV DHCP' and 'TV DNS' rules defined for TVZone).
	option input 'REJECT'
	# output REJECT also rejects packets the router itself originates towards this zone.
	option output 'REJECT'
	option forward 'REJECT'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'IoTZone'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'NVRZone'
	option family 'ipv4'

config forwarding
	option src 'openvpn_tun0'
	option dest 'NVRZone'
	option family 'ipv4'

config forwarding
	option src 'TVZone'
	option dest 'wan'
	option family 'ipv4'

I'm not seeing any errors with your config...

I would recommend that you either ask the maintainer of your current build, or install OpenWrt from here. Per my comment above, I'm not seeing any errors as I glance through your config, so maybe something is different with the way this particular build works.

Actually, I do see two issues:

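  1. Remove the source port from this rule (the only rule in your firewall config that sets one is 'TV DHCP', with `option src_port '67-68'`):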

  2. The NVR zone has input, output and forward all set to REJECT, with no additional rules for DNS or DHCP. You need output to be set to ACCEPT for routing to work, and that network won't be able to use DHCP (or DNS) because you haven't created allow rules for DHCP and DNS like you did for the TV zone.


Hi,

Thank you for the reply. As you wrote, there is nothing wrong with the settings (except the missing firewall rule for NVRZone, which I have added). I finally got it working. The root cause was... wrong labeling of an Ethernet patch cord - the trunk cable from the router was connected to port 5 of the switch instead of port 1. I'm so embarrassed by this. Before posting this message I checked the settings many times, but I didn't suspect a hardware issue. Thank you for your review.